
Meet Meltdown and Spectre

How a Hardware Security Flaw Became 2018’s First Major Cybersecurity Issue

2018 is less than a fortnight old and we already have the biggest security issue of the year. Daniel Davies takes a look at the security nightmares that have been branded Meltdown and Spectre, and debates what their existence means for Moore’s Law.

If there was a league table of security flaws then surely the two major – and we can’t stress major enough – security flaws recently revealed in the microprocessors inside nearly all of the world’s computers would place pretty high. At the very least they’d be in Champions League contention. These vulnerabilities, named Meltdown and Spectre, have existed for decades and could let hackers access the entire memory contents of computers, mobile devices and cloud computer networks.

Most Intel processors implement out-of-order execution: like a lot of modern CPUs, they execute instructions not in their original program order but in whatever order the input data becomes available. Pretty much every processor made since 1995 works this way, and is now at risk of being affected by Meltdown. Since the initial reports, another chip maker, ARM, has revealed some of its processors are also affected.

The larger issue, though, is with Spectre, which calls into question the way all processor manufacturers design their chips, with an emphasis being placed on speed ultimately leaving them vulnerable to security issues. Almost every system is affected by Spectre: desktops, laptops, cloud servers, as well as smartphones. More specifically, all modern processors capable of keeping many instructions in flight are potentially vulnerable.

Attacking the basic building blocks of cybersecurity

Although they share similarities, the two security flaws are different. Meltdown, which has been described as “one of the worst CPU bugs ever found” by one of the researchers who discovered it, breaks the mechanism that keeps applications from accessing arbitrary kernel memory, and consequently enables a user process to read kernel memory.

Spectre, on the other hand, is a name covering two different exploitation techniques. Spectre essentially breaks the isolation between different applications and allows an attacker to trick error-free programs, which follow best practices, into leaking their secrets. Spectre is harder to exploit than Meltdown, but it is also harder to mitigate.

What’s so scary about these vulnerabilities is that they attack the basic building blocks of what makes computers secure. The whole reason your browser is so secure is that it runs as an isolated process, and the CPU is meant to stop that isolated process from looking at memory outside of it, so this is an attack on that basic foundation of security.

The logos for Meltdown and Spectre, which were designed by Natascha Eibl

So how do you fix it? Well, patches are going out, and it appears that a fix for Meltdown is mitigating the vulnerability. Because the issues Spectre highlights are so fundamental, though, the easy fix would be to just stop doing the things responsible for speeding processors up, in effect rolling back this innovation in chip processing. In other words, roll back and rip up Moore’s Law.

In a press release, Intel said that with its patches “performance impacts are workload-dependent, and, for the average computer user, should not be significant and will be mitigated over time,” and Google said the software fixes that have begun to appear "introduce minimal performance impact".


However, in reality, patching Meltdown and Spectre has had a significant enough impact to draw complaints. As reported in the Register, which broke the initial story at the beginning of January, Quora, which relies on AWS, on Saturday said it is "facing a slowdown due to the patch applied by AWS for Intel's Meltdown and Spectre issues."

It is estimated that processing power in devices could be slowed down by as much as 30%, which looked at another way is like turning back the clock on Moore’s Law by two years. It’s an insane thing to have to do to technology, given that we buy new products because they work faster.

To have to go backwards and work slower is a strange scenario, and the age when developers could grab the lowest-hanging fruit when it comes to improving processing power is over. Ultimately, though, if given the option of having a device that is faster but less secure or a device that works slower but keeps your information safe, there really is only one choice. So maybe taking one step backwards – albeit a rather large step – to take two forward isn’t such a bad move.


PR nightmares: Ten of the worst corporate data breaches

LinkedIn, 2012

Hackers sold name and password info for more than 117 million accounts

Target, 2013

The personal and financial information of 110 million customers was exposed

JP Morgan, 2014

One of JP Morgan Chase’s servers was compromised, resulting in fraud schemes yielding up to $100m

Home Depot, 2014

Hackers stole email and credit card data from more than 50 million customers

Sony, 2014

Emails and sensitive documents were leaked, thought to be by North Korea in retaliation for Sony’s production of a film mocking the country’s leader Kim Jong Un

Hilton Hotels, 2015

Dozens of Hilton and Starwood hotels had their payment systems compromised and hackers managed to steal customer credit card data

TalkTalk, 2015

The personal data of 156,959 customers, including names, addresses, dates of birth and phone numbers, was stolen

Tesco, 2016

Hackers made off with around $3.2m from more than 9,000 Tesco Bank accounts

Swift, 2016

Weaknesses in the Swift payment system resulted in $81m being stolen from the Bangladesh Central Bank’s account at the New York Federal Reserve

Chipotle, 2017

Phishing was used to steal the credit card information of millions of Chipotle customers, thought to be part of a wider restaurant customer scam orchestrated by an Eastern European criminal gang
